ebd6f89eb003af3893c5ea11032fac4b58c2837119228db862a92de62241e0e7

Analysis

max time kernel
128s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
06-03-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b66b625fac60d06e64a4ad3e4ae1c00d.dll
Size

1.4MB
MD5

b66b625fac60d06e64a4ad3e4ae1c00d
SHA1

569cc0cb9477bf2f07e01b27353d20b64c501fa1
SHA256

ebd6f89eb003af3893c5ea11032fac4b58c2837119228db862a92de62241e0e7
SHA512

d08fbb56229432269c878d4bfcce82bf2521a84c1e536862d526235fba842dcc0c79061bbdeb627cf92a8f3989ff7739c944d051b132ecd5c5c4542d8a647caf
SSDEEP

24576:wZ5LzygEGoYkR4HYYAmax3ksunYLw2kXPIShK5TwL6fjjkPPLkDlxpQfjqtd5vYT:wPzygEGRD4YAmKkssePqK1AKjjXCq31i

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1284	f780474.exe

Loads dropped DLL 9 IoCs

pid	Process
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2868	regsvr32.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe
2148	WerFault.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2868	regsvr32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2148	1284	WerFault.exe	33

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 1600 wrote to memory of 2868	1600	regsvr32.exe	28
PID 2868 wrote to memory of 1284	2868	regsvr32.exe	33
PID 2868 wrote to memory of 1284	2868	regsvr32.exe	33
PID 2868 wrote to memory of 1284	2868	regsvr32.exe	33
PID 2868 wrote to memory of 1284	2868	regsvr32.exe	33
PID 1284 wrote to memory of 2148	1284	f780474.exe	34
PID 1284 wrote to memory of 2148	1284	f780474.exe	34
PID 1284 wrote to memory of 2148	1284	f780474.exe	34
PID 1284 wrote to memory of 2148	1284	f780474.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b66b625fac60d06e64a4ad3e4ae1c00d.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b66b625fac60d06e64a4ad3e4ae1c00d.dll
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\f780474.exe
    "C:\Users\Admin\AppData\Local\Temp\f780474.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 532
      4⤵
      Loads dropped DLL
      Program crash
      PID:2148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\f780474.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
memory/1284-41-0x0000000071FD0000-0x00000000726BE000-memory.dmp

Filesize
6.9MB

Download
memory/1284-40-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2868-15-0x0000000003E50000-0x0000000003ED9000-memory.dmp

Filesize
548KB

Download
memory/2868-17-0x0000000003EE0000-0x0000000003F65000-memory.dmp

Filesize
532KB

Download
memory/2868-9-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/2868-13-0x0000000000210000-0x00000000002A0000-memory.dmp

Filesize
576KB

Download
memory/2868-14-0x00000000027A0000-0x0000000003E45000-memory.dmp

Filesize
22.6MB

Download
memory/2868-0-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/2868-16-0x0000000003EE0000-0x0000000003F65000-memory.dmp

Filesize
532KB

Download
memory/2868-8-0x0000000000210000-0x00000000002A0000-memory.dmp

Filesize
576KB

Download
memory/2868-19-0x0000000003EE0000-0x0000000003F65000-memory.dmp

Filesize
532KB

Download
memory/2868-20-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2868-21-0x0000000000070000-0x0000000000074000-memory.dmp

Filesize
16KB

Download
memory/2868-22-0x0000000000080000-0x0000000000086000-memory.dmp

Filesize
24KB

Download
memory/2868-5-0x0000000000210000-0x00000000002A0000-memory.dmp

Filesize
576KB

Download
memory/2868-39-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download
memory/2868-4-0x00000000026F0000-0x0000000002793000-memory.dmp

Filesize
652KB

Download
memory/2868-1-0x0000000010000000-0x0000000010171000-memory.dmp

Filesize
1.4MB

Download